About the security content of iOS 9

This document describes the security content of iOS 9.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious website may be able to track users in Safari private browsing mode

Description: An issue existed in the handling of HSTS state in Safari private browsing mode. This issue was addressed through improved state handling.

CVE-ID

CVE-2015-5860 : Sam Greenhalgh of RadicalResearch Ltd

CFNetwork

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A person with physical access to an iOS device may read cache data from Apple apps

Description: Cache data was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the cache data with a key protected by the hardware UID and the user's passcode.

CVE-ID

CVE-2015-5898 : Andreas Kurtz of NESO Security Labs

CFNetwork Cookies

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position can track a user's activity

Description: A cross-domain cookie issue existed in the handling of top level domains. The issue was addressed through improved restrictions of cookie creation.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker with a privileged network position may intercept SSL/TLS connections

Description: A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation.

CVE-ID

CVE-2015-5824 : Timothy J. Wood of The Omni Group

CFNetwork SSL

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of RC4. An attacker could force the use of RC4, even if the server preferred better ciphers, by blocking TLS 1.0 and higher connections until CFNetwork tried SSL 3.0, which only allows RC4. This issue was addressed by removing the fallback to SSL 3.0.

CoreAnimation

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to leak sensitive user information

Description: Applications could access the screen framebuffer while they were in the background. This issue was addressed with improved access control on IOSurfaces.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

CVE-ID

CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team

CVE-2015-5896 : Maxime Villard of m00nbsd

CVE-2015-5903 : CESG

Entry updated December 21, 2016

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local attacker may control the value of stack cookies

Description: Multiple weaknesses existed in the generation of user space stack cookies. This was addressed through improved generation of stack cookies.

CVE-ID

CVE-2013-3951 : Stefan Esser

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local process can modify other processes without entitlement checks

Description: An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through added entitlement checks.

CVE-ID

CVE-2015-5882 : Pedro Vilaça, working from original research by Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker may be able to launch denial of service attacks on targeted TCP connections without knowing the correct sequence number

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker on the local LAN segment may disable IPv6 routing

Description: An insufficient validation issue existed in the handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit.

CVE-ID

CVE-2015-5869 : Dennis Spindel Ljungmark
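As an added example (not Apple's or XNU's code), the following Python parses the RFC 4861 Router Advertisement header and applies a minimum hop-limit floor of the kind the fix above describes. The floor value, the packet builder and the sample packets are constructed assumptions for this illustration; the ICMPv6 checksum is not verified here.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
# RFC 4861 RA header: type, code, checksum, cur hop limit, flags, router lifetime,
# reachable time, retrans timer. Options follow the header and are not parsed here.
RA_HEADER = struct.Struct("!BBHBBHII")
MIN_HOP_LIMIT = 16  # assumed floor; the advisory does not state the value iOS enforces


def parse_router_advertisement(packet: bytes) -> dict:
    """Return the RA header fields, rejecting anything that is not an RA."""
    if len(packet) < RA_HEADER.size:
        raise ValueError("truncated ICMPv6 router advertisement")
    fields = RA_HEADER.unpack_from(packet)
    icmp_type, code, _checksum, hop_limit, flags, lifetime, reachable, retrans = fields
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a router advertisement (type={icmp_type} code={code})")
    return {"cur_hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40), "router_lifetime": lifetime,
            "reachable_time": reachable, "retrans_timer": retrans}


def apply_hop_limit(advertised: int, current: int, floor: int = MIN_HOP_LIMIT) -> int:
    """Hop limit the host should use after processing an RA.

    0 means "unspecified" per RFC 4861, so the current value is kept. A value
    below the floor is ignored as well: a tiny hop limit would make the host's
    packets expire at the first router, which is the outage the advisory describes.
    """
    if advertised == 0 or advertised < floor:
        return current
    return advertised


def build_ra(hop_limit: int, lifetime: int = 1800) -> bytes:
    """Constructed test input only; checksum is left zero for this demo."""
    return RA_HEADER.pack(ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, hop_limit, 0, lifetime, 0, 0)


def audit(packets, current: int = 64):
    """Report, for each RA, the advertised value, the resulting host value and a verdict."""
    results = []
    for pkt in packets:
        adv = parse_router_advertisement(pkt)["cur_hop_limit"]
        new = apply_hop_limit(adv, current)
        verdict = "accepted" if new == adv else ("unspecified" if adv == 0 else "below floor")
        results.append((adv, new, verdict))
    return results


# Constructed samples: a normal RA (64), a hostile one (hop limit 1), and an unspecified one (0).
SAMPLE_RAS = [build_ra(64), build_ra(1), build_ra(0)]

if __name__ == "__main__":
    for adv, new, verdict in audit(SAMPLE_RAS):
        print(f"advertised={adv:3d} -> host hop limit {new:3d} ({verdict})")
```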

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to determine kernel memory layout

Description: An issue existed in XNU that led to the disclosure of kernel memory. This was addressed through improved initialization of kernel memory structures.

CVE-ID

CVE-2015-5842 : beist of grayhash

Kernel

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to cause a system denial of service

Description: An issue existed in HFS drive mounting. This was addressed by additional validation checks.

CVE-ID

CVE-2015-5748 : Maxime Villard of m00nbsd

libc

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue existed in the fflush function. This issue was addressed through improved memory handling.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

CVE-ID

CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team

Mail

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker can send an email that appears to come from a contact in the recipient's address book

Description: An issue existed in the handling of the sender's address. This issue was addressed through improved validation.

CVE-ID

CVE-2015-5857 : Emre Saglam of salesforce.com

Multipeer Connectivity

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local attacker may be able to observe unprotected multipeer data

Description: An issue existed in convenience initializer handling in which encryption could be actively downgraded to a non-encrypted session. This issue was addressed by changing the convenience initializer to require encryption.

CVE-ID

CVE-2015-5851 : Alban Diquet (@nabla_c0d3) of Data Theorem

NetworkExtension

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious application may be able to determine kernel memory layout

Description: An uninitialized memory issue in the kernel led to the disclosure of kernel memory content. This issue was addressed through memory initialization.

CVE-ID

CVE-2015-5831 : Maxime Villard of m00nbsd

OpenSSL

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Multiple vulnerabilities in OpenSSL

Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg.

CVE-ID

CVE-2015-0286

CVE-2015-0287

PluginKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious enterprise application can install extensions before the application has been trusted

Description: An issue existed in the validation of extensions during installation. This was addressed through improved app verification.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Processing malicious data may lead to unexpected application termination

Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines.

CVE-ID

CVE-2015-5840 : an anonymous researcher

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A local user may be able to read Safari bookmarks on a locked iOS device without a passcode

Description: Safari bookmark data was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the Safari bookmark data with a key protected by the hardware UID and the user's passcode.

CVE-ID

CVE-2015-7118 : Jonathan Zdziarski

Entry updated December 21, 2016

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: An issue may have allowed a website to display content with a URL from a different website. This issue was addressed through improved URL handling.

CVE-ID

CVE-2015-5904 : Erling Ellingsen of Facebook, Łukasz Pilorz

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to user interface spoofing

Description: Navigating to a malicious website with a malformed window opener may have allowed the display of arbitrary URLs. This issue was addressed through improved handling of window openers.

CVE-ID

CVE-2015-5905 : Keita Haga of keitahaga.com

Safari

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Users may be tracked by malicious websites using client certificates

Description: An issue existed in Safari's client certificate matching for SSL authentication. This issue was addressed through improved matching of valid client certificates.

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: Visiting a malicious website may lead to unintended dialing

Description: An issue existed in the handling of tel://, facetime://, and facetime-audio:// URLs. This issue was addressed through improved URL handling.

CVE-ID

CVE-2015-5820 : Andrei Neculaesei, Guillaume Ross

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: QuickType may learn the last character of a password in a filled-in web form

Description: An issue existed in WebKit's handling of password input context. This issue was addressed through improved input context handling.

CVE-ID

CVE-2015-5906 : Louis Romero of Google Inc.

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: An attacker in a privileged network position may be able to redirect to a malicious domain

Description: An issue existed in the handling of resource caches on sites with invalid certificates. The issue was addressed by rejecting the application cache of domains with invalid certificates.

CVE-ID

CVE-2015-5907 : Yaoqi Jia of National University of Singapore (NUS)

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious website may exfiltrate data cross-origin

Description: Safari allowed cross-origin stylesheets to be loaded with non-CSS MIME types, which could be used for cross-origin data exfiltration. This issue was addressed by limiting MIME types for cross-origin stylesheets.

CVE-ID

CVE-2015-5826 : filedescriptor, Chris Evans

WebKit

Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later

Description: WebKit's Performance API could have allowed a malicious website to leak browsing history, network activity, and mouse movements by measuring time. This issue was addressed by limiting time resolution.
